Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1 alert match the current filters. tactic: TA0007 ✕ technique: T1615 ✕

Show ATT&CK heatmap
  • Possible GPO Enumeration Informational Identity Analytics 2 variations

    A possible GPO enumeration via LDAP was performed. Such enumeration may be used during attacks against the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Group Policy Discovery (T1615)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client), LDAP Analytics (Server)
    Attacker's goals: An attacker is attempting to enumerate Active Directory.
    Investigative actions: Investigate the LDAP search query for any suspicious indicators. Look for additional LDAP queries the user executed that might be suspicious. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries. Check if the process executes LDAP search queries as part of its normal behavior.

    Variations

    Suspicious GPO Enumeration by an LDAP tool

    Medium overridden

    A possible GPO enumeration via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden

    Possible GPO Enumeration by a Suspicious Process

    Low overridden

    A possible GPO enumeration via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden